Key Information
- Sonar’s Vulnerability Research Team recently discovered a critical Cross-Site Scripting (XSS) vulnerability in Roundcube, a popular open-source webmail software.
- When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim's browser.
- Attackers can abuse the vulnerability to steal emails, contacts, and the victim's email password as well as send emails from the victim's account.
- In October 2023, ESET Research reported that a similar vulnerability was actively used by the APT group Winter Vivern to attack European government entities.
- Roundcube administrators should update to the patched version 1.6.8 or 1.5.8 as soon as possible.
- All discovered issues are tracked as CVE-2024-42008, CVE-2024-42009, CVE-2024-42010.
Introduction
Roundcube is a popular open-source webmail software that enables users to check their emails right in their browser without needing dedicated client software. It is included by default in the server hosting panel cPanel leading to millions of installations around the globe, according to Shodan. It is also used by universities as well as government agencies.
Government employees' emails are a valuable target for Advanced Persistent Threat (APT) groups engaged in espionage. ESET Research and Insikt Group both report documented attack campaigns by the Winter Vivern APT in 2023, targeting Roundcube servers of the Ukrainian military, Georgian Defense Ministry, and other European entities. These attacks abused a similar Cross-Site Scripting (XSS) zero-day vulnerability in Roundcube to steal emails or passwords from victims who viewed a malicious email.
Impact
Roundcube in version 1.6.7 and below, and in version 1.5.7 and below, is vulnerable to the XSS vulnerabilities CVE-2024-42009 and CVE-2024-42008, which have critical and high ratings respectively. These allow an unauthenticated attacker to steal emails and contacts, as well as send emails from a victim's account. All the victim user has to do is view a malicious email in Roundcube.
Attackers can gain a persistent foothold in the victim's browser across restarts, allowing them to exfiltrate emails continuously or steal the victim's password the next time it is entered. For a successful attack, no user interaction beyond viewing the attacker's email is required to exploit the critical XSS vulnerability (CVE-2024-42009). For CVE-2024-42008, a single click by the victim is needed for the exploit to work, but the attacker can make this interaction unobvious for the user.
This video demonstrates how an attack could look like using a Roundcube test instance:
We won't disclose the technical details of the vulnerabilities at this time to give users time to update. We suspect that this won't stop dedicated attackers like Winter Vivern for long, who have already shown that they can discover similar XSS vulnerabilities on their own. We strongly advise Roundcube administrators to apply the latest patch, version 1.6.8, or 1.5.8, as soon as possible to protect their organization's users. Users who suspect that they are affected should change their email password and additionally clear the site data of the Roundcube site they are using in their browser.
Timeline
We want to thank the Roundcube maintainer Aleksander Machniak for the quick response and for publishing patches for the issues.
| Date | Action |
| 2024-06-18 | We report all issues to the Roundcube maintainers |
| 2024-06-18 | The maintainers acknowledge our report |
| 2024-07-17 | The maintainers send patches for review |
| 2024-07-18 | We send feedback for the patches |
| 2024-08-04 | The maintainers publish patched Roundcube versions 1.6.8 and 1.5.8 |
| 2024-08-05 | We publish this initial blog post |
*** This is a Security Bloggers Network syndicated blog from Sonar Blog RSS feed authored by Oskar Zeino-Mahmalat. Read the original post at: https://www.sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail